Reputation: 1
I have created an MQTT broker (Env: Docker container, base image: Ubuntu:18) with self-signed certificates with the common name set to localhost,
but I'm able to connect to the MQTT broker with any client certificate. How do I stop this?
Here is the mosquitto configuration:
```
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate false
password_file /etc/mosquitto/passwd
```
Upvotes: 0
Views: 1591
Reputation: 59866
If you want to force clients to supply a certificate then you need to have `require_certificate true`. Client certificates will need to be signed by a CA that is in `cafile` or `capath` to be accepted.
Since the certificate will be used to assert the user's identity, the `password_file` will not be used. If you want to use the ACL (with the `acl_file` option) to control what topics a given user can use, you will need to add `use_identity_as_username true` or `use_subject_as_username true` to set which item in the certificate is used as the username.
From the man page:
When using certificate based encryption there are three options that affect authentication. The first is require_certificate, which may be set to true or false. If false, the SSL/TLS component of the client will verify the server but there is no requirement for the client to provide anything for the server: authentication is limited to the MQTT built in username/password. If require_certificate is true, the client must provide a valid certificate in order to connect successfully. In this case, the second and third options, use_identity_as_username and use_subject_as_username, become relevant. If set to true, use_identity_as_username causes the Common Name (CN) from the client certificate to be used instead of the MQTT username for access control purposes. The password is not used because it is assumed that only authenticated clients have valid certificates. This means that any CA certificates you include in cafile or capath will be able to issue client certificates that are valid for connecting to your broker. If use_identity_as_username is false, the client must authenticate as normal (if required by password_file) through the MQTT options. The same principle applies for the use_subject_as_username option, but the entire certificate subject is used as the username instead of just the CN.
Upvotes: 1
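The following script is an added example and is not code from the question, the answer or the mosquitto project. It reproduces with plain `openssl` the trust decision the broker makes once `require_certificate true` is set (a client certificate is accepted only if it chains to a CA in `cafile`/`capath`, regardless of what its CN says), prints the CN that `use_identity_as_username` would hand to the ACL layer, and writes the question's configuration with the fix applied. The CA names, the `sensor-01` CN, the file names and the `/etc/mosquitto/aclfile` path are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Shows why "require_certificate false" lets any client in, and what the
# broker checks once it is true: the chain to a CA in cafile, not the CN.
# CA names, CNs, file names and the acl_file path are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the outcome does not depend on the system's
# openssl.cnf: one profile for the self-signed CAs, one for client leaves.
cat > "$WORK/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue_pair CA_NAME LEAF_NAME LEAF_CN: a self-signed CA and one client
# certificate signed by it.
issue_pair() {
  ca="$WORK/$1"; leaf="$WORK/$2"
  openssl req -x509 -config "$WORK/x509.cnf" -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=$1" -keyout "$ca.key" -out "$ca.crt" >/dev/null 2>&1
  openssl req -new -config "$WORK/x509.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$leaf.key" -out "$leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$leaf.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/x509.cnf" \
    -extensions client_ext -out "$leaf.crt" >/dev/null 2>&1
}

# check_client_cert CAFILE CLIENT_CRT: the same chain check the broker runs
# against cafile during the TLS handshake. Prints "accepted" or "rejected".
check_client_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# identity_of CLIENT_CRT: the CN that use_identity_as_username turns into
# the MQTT username used for acl_file lookups.
identity_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/^CN=//'
}

# write_hardened_conf PATH: the question's mosquitto.conf with the fix.
write_hardened_conf() {
  cat > "$1" <<'EOF'
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
# Was "false" in the question: clients could connect with no certificate.
require_certificate true
# The client certificate's CN replaces the MQTT username; password_file is
# then not consulted, so the ACL is what limits each client.
use_identity_as_username true
# Assumed path for this example.
acl_file /etc/mosquitto/aclfile
EOF
}

issue_pair broker-ca client       sensor-01   # the CA named in cafile
issue_pair other-ca  other-client sensor-01   # same CN, CA the broker does not trust
write_hardened_conf "$WORK/mosquitto.conf"

echo "client signed by broker-ca : $(check_client_cert "$WORK/broker-ca.crt" "$WORK/client.crt")"
echo "client signed by other-ca  : $(check_client_cert "$WORK/broker-ca.crt" "$WORK/other-client.crt")"
echo "username seen by the ACL   : $(identity_of "$WORK/client.crt")"
echo "hardened config written to : $WORK/mosquitto.conf"
```

The second certificate carries the same CN as the first, and is still rejected: with `require_certificate true` the broker trusts the issuing CA, not the name, which is why the answer stresses that every CA listed in `cafile` or `capath` can mint valid client certificates for your broker.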